Event

I received several spam messages from contacts of mine, all of whom were knowledgeable about IT security, and avid users of password managers and two-factor authentication. The spam messages were simple links via Baidu or LinkedIn open redirect endpoints. The links had been tagged with my own username, likely to give them info on whose accounts to target next.
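As an added illustration (not code from the original post), here is a small detector for the link pattern described above: a "redirector" URL whose query string carries a second, percent-encoded absolute URL on a different host. The sample messages, hostnames and the `tag` parameter are all constructed for this example.

```python
"""Flag chat messages carrying open-redirect style links: a link whose
query string contains another absolute http(s) URL on a different host.
All sample messages, hosts and the 'tag' parameter are constructed."""
import re
from urllib.parse import urlparse, parse_qs

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def embedded_targets(url):
    """Return [(param, host)] for each query value that is itself an
    absolute http(s) URL pointing at a host other than the link's own."""
    outer = urlparse(url)
    hits = []
    # parse_qs percent-decodes each value once, so an encoded inner URL
    # comes back as a plain "http://..." string.
    for name, values in parse_qs(outer.query).items():
        for value in values:
            inner = urlparse(value)
            if (inner.scheme in ("http", "https") and inner.netloc
                    and inner.netloc.lower() != outer.netloc.lower()):
                hits.append((name, inner.netloc.lower()))
    return hits


def flag_messages(messages):
    """messages: iterable of (sender, text). Returns a list of
    (sender, link, redirect_host) for every redirect-style link found."""
    flagged = []
    for sender, text in messages:
        for link in URL_RE.findall(text):
            for _param, host in embedded_targets(link):
                flagged.append((sender, link, host))
    return flagged


# Constructed sample: one redirector-style link (inner URL percent-encoded
# and tagged with a username, as in the spam), one ordinary direct link.
SAMPLE = [
    ("alice", "hey check this https://redirector.example/link?url="
              "http%3A%2F%2Fpayload.example%2Fp%3Ftag%3Dsomeuser"),
    ("bob", "meeting notes: https://docs.example/notes?id=42"),
]

if __name__ == "__main__":
    for sender, link, host in flag_messages(SAMPLE):
        print(f"{sender}: redirect-style link to {host}: {link}")
```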

After a little bit of digging, I found vulnerabilities in my own Skype account setup. I expect many people to be in a similar position, based on Microsoft + Skype’s approach to account migrations over the years.

Impact and Risk

These vulnerabilities are simple to close. Leaving them open leaves you at high risk of being the source of embarrassing spam messages to your contacts, and potentially being locked out of your Skype account for good. (Skype accounts aren’t always linked to email addresses, making the password recovery process notoriously difficult.)

Issue

Long-time users of Skype will have set up their Skype account under a username. Mine was tathamoddie. The sign-up flow never used to prompt for an email address or phone number. (It does now.)

After Microsoft acquired Skype, they added support for ‘linking’ a Microsoft account to your Skype account. This allowed me to log in to my Skype account via my Microsoft Account (tatham@oddie.com.au). Anybody who has used the Windows 8 or Windows 10 apps for Skype will have been encouraged down this path.

Linking a Microsoft account never prevented the Skype-based sign in.

Skype accounts have never supported two-factor authentication.

Skype accounts are actively being compromised via simple username + password authentication, with no second-factor validation in play. Skype are stating that this is most likely due to credential re-use, however I know of one IT security professional whose account was compromised despite using a unique password that was always stored in a password manager. Considering the simplicity of Skype’s overall approach to authentication, and their rather broad range of client APIs, I’d postulate that there’s some brute forcing in play as well, or there has been a credential leak.

Future

As part of this process, they’re supporting the use of multiple ‘aliases’ for each account. These are essentially multiple usernames. This allows you to log in using your email address, your mobile number, or your Skype username. They’re rationalising down to one password and one approach to proofs though.

Today we are excited to announce that you can now use your Skype Name to sign into other Microsoft services like Xbox, Office and OneDrive. If you have any questions or want to find out more, please visit our FAQ.

Based on the migration experience, I don’t believe that there’s any way to use an old Skype account to compromise a Microsoft account by bypassing MFA controls, however it doesn’t hurt to hurry up and close off the old login vector now. That’s exactly what we’ll do to apply this security fix.

This happened to me, although there has been additional weirdness as well so I thought I’d post as this is the only thing I’ve found on this issue. (Skype support has as per usual been hopeless.) There are clearly many issues with the account unification transition.

I’ve had my Skype and Microsoft accounts linked for over a year now, and have since always logged in with my Microsoft account enabled with two factor authentication. My Microsoft account has a unique password. So I was very shocked when I woke up Saturday to the news that my Skype account had been compromised and used to send Baidu links (of the first variety above) to all my contacts.

Evidently they were able to log into Skype using my old Skype user name and—as I surmise from your post and others—my old Skype password. (According to the account activity screen, it was accessed from Malaysia from the IP address 118.100.122.223.) This apparent use of old Skype credentials, as far as I know, should have been impossible, since my account had already been “upgraded”. (I can’t even remember my old Skype password because it’s been so long since I’ve used it.)

When I woke up I had received the standard “Someone else might have accessed your Microsoft account” email and text message, and quickly isolated the problem to Skype. So that part of the functionality did work, i.e. that I was informed of the account intrusion. I was able to erase the messages sent, and based on your post and others I disabled account login from my Skype alias, but something is still seriously wrong here. Luckily it does not seem that they were able to access other areas of my Microsoft account (OneDrive, etc.), but they SHOULD NOT have been able to access my account without pushing my two factor authentication.

There is something else still odd here, which leads me to believe that there are still issues: when I go to my “Skype account settings” page online, which I log into now through my Microsoft account primary alias, I am first still given the option to “change Skype password,” which then of course redirects me to the Microsoft account password change, as it should. Still odd that it is there.

But then, if I attempt to update my Skype profile, I am prompted for a password, and my Microsoft password DOES NOT work here. It still seems to want my old Skype password from over a year ago. (Which, again, I don’t remember.) So there is clearly something wonky happening on the Microsoft side.